azure ad b2b
221 Topics

Multitenant organization (MTO): user licenses
Hello everyone, As described at https://learn.microsoft.com/en-us/microsoft-365/enterprise/set-up-multi-tenant-org, I have created an MTO. It seems to have worked because I can see users from tenant A in tenant B. Everything looks correct, as the users have #EXT# in their usernames, their type is "Member", and their identity is "ExternalAzureAD". BUT they are all unlicensed. My question: is there a way to synchronize the licenses of the users, or do I really have to purchase the same license twice for a single user? Specifically, I am interested in the following licenses:
- Microsoft 365 Business Premium (access to Teams, SharePoint, Exchange Online shared mailboxes, etc.)
- Dynamics 365 licenses (e.g., Business Central)
Thank you very much for your assistance, and warm regards, Nico
2.7K Views | 0 likes | 4 Comments

Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we're hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what the foundations are to get started, and finally to how to configure it in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
57 Views | 1 like | 0 Comments

Invitation Redemption modifying DisplayName attribute
Hi All, Haven't found much on this, other than someone with the same issue ~6 years ago and no further details. I'm generating guest user invites through Graph and configure the display name in a particular way. I've noticed that when that guest logs in for the first time, the display name changes, removing my custom configuration. I can see this in audit logs for the user account, corresponding to their login to the tenant for the first time, where the account is moved from PendingAcceptance to Accepted.
Activity Type: Update User
Category: User Management
Type: Application
Display Name: Microsoft Invitation Acceptance Portal
Is there a setting or flag to block this? Ideally, they keep the same display name I set in the first place. Thanks!
767 Views | 0 likes | 2 Comments

Entra ID Dynamic User security group - Syntax rule
Attempting to create a Dynamic user group for Microsoft consumer accounts in my B2B tenant. This should be very simple. Background data:
Collection or array object
- User.identities (Collection or array)
- User.identities.issuer (Collection or array only when B2B guest/member)
- User.identities.issuer (string when internal member)
- User.identities.IssuerassignedID (Collection or array only when B2B guest/member)
- User.identities.IssuerassignedID (string when internal member)
- User.identities.SignInType (Collection or array only when B2B guest/member)
- User.identities.SignInType (String when internal member)
There seem to be ongoing issues querying or filtering for user.identities.issuer, along with use of various filter combinations. Again, this should be very simple. I've tried multiple combinations of the below syntax rule. Does anyone have something that has worked for you?
(user.identities -any (objectIdentity.issuer -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId -eq null))
(user.identities -any (objectIdentity.issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId (_ -eq null)))
(user.identities -any (issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (issuerAssignedId (_ -eq null)))
2K Views | 0 likes | 4 Comments

Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all, we're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed. The issue we are having now is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder? Thanks!
2.4K Views | 2 likes | 4 Comments

How to map a user custom security attribute to OIDC id and access token?
We are integrating Keycloak with Azure Entra via OIDC. We have created custom security attributes to map some extension fields for the user. We tried to map these as tokens, but the custom security attributes don't show up in the dropdown under the token > add optional claims. We then tried to define them under the Enterprise App > Single SignOn > Attributes & Claims, but were unable to find these custom security attributes in the dropdown there either! Any help for this problem is deeply appreciated. Thanks, Raghav
328 Views | 1 like | 3 Comments

Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to "any", either "passwordless" or "Push". It is possible to enable the following authentication method through a conditional access policy; currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts, or is it only focused on personal accounts? Thanks in advance.
208 Views | 0 likes | 1 Comment

Multitenant collaboration - share users - can't choose groups
Hi all, I am configuring the new multitenant collaboration now that it's out of preview. When I was last testing it in preview, when I clicked "Share users" I was able to select an Entra ID group of users to share. Now the behaviour is different: it's only allowing me to select users, not groups. Am I missing something obvious here? Thanks!
597 Views | 0 likes | 1 Comment

Guest accounts and MFA via Conditional Access in MS Entra
Hi experts, trying to get some help on my scenario and an issue that external users started to experience since I've enabled MFA for external identities & guest users via Conditional Access. We have lots of external partners that we share some documentation with from our SharePoint. Some time ago, I enabled "MS Entra B2B Integration for SharePoint and OneDrive" so that any external user that accesses shared files/folders in our SharePoint gets a GUEST account created in our tenant. This was also preparation for enabling MFA for external users via Conditional Access. I believe these are called "B2B Collaboration guests". Now, a few days ago, I enabled MFA via Conditional Access for all external users and guests, enabled for all cloud apps and requiring MFA to grant access. Until now, I got feedback from two external partners that their existing access doesn't work anymore and they need to go through MFA (which is expected). The problem is that when they go through MFA set up, it ends up in a "loop", meaning they go through all steps but when completing the last step they are returned back to the very 1st step again. So they:
- scan the QR code
- successfully authenticate
- get the page that it was successful
- get back to the 1st step asking to install or use the MS Authenticator app
The user tried different browsers, also with Incognito tabs... When I am checking sign-in logs:
- the guest account is created fine
- the status is: "Interrupted"
- additional details: The user was presented options to provide contact options so that they can do MFA.
- conditional access forcing MFA is marked as FAILED as MFA was not completed
Both external partners that reported this are using MS Entra and I see their IDENTITY as ExternalAzureAD. Have not heard back from anyone else using other than ExternalAzureAD, so not sure if there is something extra that needs to be configured. Anyone experienced this issue? Any idea what can be wrong?
I do not have any cross-tenant collaboration etc. configured...
1.4K Views | 0 likes | 4 Comments

B2B Direct Connect + cross tenant access enables switch tenants functionality?
We have set up a B2B direct connect connection with another company. We have enabled the cross-tenant sync settings. We want to use Shared channels in Teams. This works fine. It is now possible for the other company to switch tenants in Teams and log into our tenant, and then they see the entire team and not just the shared channel. They can also access SharePoint sites. Is this working as designed? I can't find this functionality in the Microsoft documentation.
Solved | 603 Views | 0 likes | 2 Comments